http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339 Versions affected: BIND 9.0.x (all versions of BIND 9.0) BIND 9.1.x (all versions of BIND 9.1) BIND 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.6-P1, 9.2.7b1, 9.2.7rc1 and 9.2.7rc2 BIND 9.3.0, 9.3.1, 9.3.2, 9.3.2-P1, 9.3.3b1, 9.3.3rc1 and 9.3.3rc2 BIND 9.4.0a1, 9.4.0a2, 9.4.0a3, 9.4.0a4, 9.4.0a5, 9.4.0a6, 9.4.0b1 and 9.4.0b2 We have a number of these in portage, including stable. The fix is to recompile against a good version of OpenSSL and then update keys, so it requires user action. USE="ssl" is a default for bind-9.3.2-r4 which is the current stable.
Bind please comment and bump as necessary.
so i should bump 'em all with "good" openssl in DEPEND?
I believe so. :) see: http://www.gentoo.org/security/en/glsa/glsa-200609-05.xml for the minimum openssl and baselibs (amd64) versions.
sup here?
So ... events have overtaken this bug and GLSA 200702-06 should have caused everyone to upgrade and rebuild against good openSSL versions. I think we can close this (though there is some tree cleanup remaining for vulnerable bind versions).
